NIST 800-171 - Media Disposal and Reuse (3.8.3)


Overview:
Sanitize or destroy information system media containing CUI before disposal or release for reuse.


Action Items:
3.8.3[a]
Determine if: system media containing CUI is sanitized or destroyed before disposal.


3.8.3[b]
Determine if: system media containing CUI is sanitized before it is released for reuse.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System media protection policy; procedures addressing media sanitization and disposal; applicable standards and policies addressing media sanitization; system security plan; media sanitization records; system audit logs and records; system design documentation; system configuration settings and associated documentation; other relevant documents or records.

2) Interview: Personnel with media sanitization responsibilities; personnel with information security responsibilities; system or network administrators.

3) Test: Organizational processes for media sanitization; mechanisms supporting or implementing media sanitization.


Related Documents (document name and content will vary by organization):
1) System media protection policy
2) procedures addressing media sanitization and disposal
3) applicable standards and policies addressing media sanitization
4) system security plan
5) media sanitization records
6) system audit logs and records
7) system design documentation
8) system configuration settings and associated documentation
9) other relevant documents or records


Additional Guidance:
This requirement applies to all system media, digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include: digital media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.


Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, destruction, removing CUI from a document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control the sanitization process for controlled unclassified information. See NARA Sanitization Policy and Guidance. NIST Special Publication 800-88 provides guidance on media sanitization.



Article ID: 171
Created: September 26, 2022
Last Updated: September 26, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/nist-800-171-media-disposal-and-reuse-3-8-3-171.html